[clo-devel] Re: Please upload your public GPG key to common-lisp.net

Anthony Ventimiglia anthony at ventimiglia.org
Tue Nov 11 00:14:47 UTC 2003


Erik Enge writes:
 >   Once the package has been signed, the user can then download the
 >   package plus the author's public key and verify that the public key
 >   at hand signed the package he or she just downloaded.
 > 
 >   The weak link is of course that the user doesn't know if the public
 >   key is the author's or not.  Here's where our signing policy comes
 >   into play.  When developers apply for a project at common-lisp.net
 >   they receive their passwords encrypted (by mail) and if they
 >   successfully decrypt and answer the email, their public key will be
 >   signed by the common-lisp.net keymaster.  Thus, the users will have a
 >   means of verifying that they have the correct key.

Sounds great, how will we handle signing of those of us that are
already members?
-- 
(incf *yankees-world-series-losses*)
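
The check the quoted policy relies on, as an added example that is not part of the original thread: before trusting an author's key, confirm that it carries a verified certification from the keymaster's key. The key IDs, names and sample listings are constructed placeholders, and the input is assumed to describe a single key.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the output of
#   gpg --with-colons --check-sigs <author-key>
# on stdin and succeeds only if the keymaster has a verified certification on it.
# Colon fields: 1 record type, 2 check result for sig records ("!" good,
# "-" bad, "?" signer key not in keyring), 5 issuer key ID, 11 signature class.

keymaster_certified() {    # $1 = keymaster long key ID (placeholder in this example)
    awk -F: -v km="$1" '
        BEGIN { km = toupper(km) }
        toupper($5) != km { next }
        # Certification classes 0x10-0x13, counted only if gpg verified them.
        $1 == "sig" && $11 ~ /^1[0-3]/ && $2 ~ /^!/ { good = 1 }
        # A revocation record issued by the keymaster withdraws the certification.
        $1 == "rev" { revoked = 1 }
        END { exit ((good && !revoked) ? 0 : 1) }
    '
}

# Constructed sample listings; key IDs and names are placeholders.
sample_certified() {
cat <<'EOF'
pub:f:1024:17:AAAAAAAAAAAAAAAA:1068000000:::-:::scESC:
uid:f::::1068000000::::Author (constructed) <author@example.org>:
sig:!::17:AAAAAAAAAAAAAAAA:1068000000::::Author (constructed) <author@example.org>:13x:
sig:!::17:BBBBBBBBBBBBBBBB:1068500000::::Keymaster (constructed) <keymaster@example.org>:10x:
EOF
}

sample_unverified() {        # keymaster key missing from the keyring: "?" instead of "!"
    sample_certified | sed 's/^sig:!::17:BBBB/sig:?::17:BBBB/'
}

sample_self_signed_only() {  # no keymaster certification at all
    sample_certified | grep -v ':BBBBBBBBBBBBBBBB:'
}
```

With a real keyring the input would come from `gpg --with-colons --check-sigs` for the author's key, after `gpg --verify` has confirmed that this key signed the downloaded package.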